Hole found in Android code base

@ 2013/07/05

The Android code base has a hole that allows an attacker to modify a digitally signed Android application package (APK) file without breaking its cryptographic signature, the check that would normally raise a red flag that something is amiss.

Security experts at Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas next month.

Some handset vendors have patched the problem and Google will release a patch to the Android Open Source Project (AOSP).

Bluebox chief technology officer Jeff Forristal said that the vulnerability affects multiple generations of Android devices released over the last four years. Nearly 900 million devices are potentially affected.

In the best case, an affected Android device would merely be jailbroken; in the worst case, an attacker could inject malware into a legitimate application, enabling the attacker to read corporate data such as email, make phone calls, send SMS messages, or even retrieve passwords and account information.

Normally, applications are digitally signed to establish or confirm the identity of the developer, and the signatures also ensure that any future updates are issued only by the application's developer.

However, Forristal claims that an application can be modified without breaking its signature. This makes it possible to update any application on a phone and gain access to its data.

Applications developed and pre-installed by handset manufacturers that are platform-signed are granted system level access, one layer away from root access.

This means that if you can get your hands on a platform-issued application, you can get full access to the system and that includes applications, accounts, passwords—everything the OS is in charge of handling.

Forristal told Threatpost that the fix is relatively painless and involves two lines of code in a very specific location. It requires a firmware update to the device, but fixing the bug itself is simple; issuing a firmware update is the more complicated part.